[windows] Add Initial AppLocker Data Stream (EXE and DLL) #6977

Merged: 44 commits, Jul 26, 2023
Conversation

@nicpenning (Contributor) commented Jul 17, 2023

  • Enhancement

What does this PR do?

This is the first iteration of adding the AppLocker event logs to the Windows Integration.

Resolves part of #6979

Improved ECS, pipelines, and dashboards will come with future PRs.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

	modified:   windows/changelog.yml
	modified:   windows/data_stream/applocker_exe_and_dll/elasticsearch/ingest_pipeline/default.yml
	modified:   windows/data_stream/applocker_exe_and_dll/fields/winlog.yml
	modified:   windows/data_stream/applocker_exe_and_dll/manifest.yml
	modified:   windows/data_stream/applocker_exe_and_dll/sample_event.json
	modified:   windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json
	modified:   windows/docs/README.md
	modified:   windows/manifest.yml
@nicpenning nicpenning requested review from a team as code owners July 17, 2023 11:22
@nicpenning nicpenning changed the title [windows] Add Initial AppLocker Data Stream [windows] Add Initial AppLocker Data Stream (EXE and DLL) Jul 17, 2023
@elasticmachine: Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@nicpenning (Contributor, Author): Ready for review. 👍🏻

@efd6 (Contributor) left a review comment:

This needs pipeline tests, and system tests if possible.

packages/windows/_dev/deploy/docker/docker-compose.yml (review thread outdated, resolved)
packages/windows/changelog.yml (review thread outdated, resolved)
field: winlog.event_data.User
target_field: "_temp.user_parts"
separator: '\\'
if: ctx?.winlog?.event_data?.User != null
@efd6 (Contributor):

s/ctx\?\./ctx./g

@nicpenning (Contributor, Author):

What are we looking at here?

@efd6 (Contributor), suggested change:

    if: ctx?.winlog?.event_data?.User != null

becomes

    if: ctx.winlog?.event_data?.User != null

@efd6 (Contributor) Jul 18, 2023:

This should happen throughout. For clarity (I missed the mark), the original comment is a sed global search and replace expression: search for re:"ctx?." and replace all instances with "ctx.".

@efd6 (Contributor):

This does not appear to have been generated by a system test.

@nicpenning (Contributor, Author):

It was not. I must have missed that. Since there aren't any sample documents, perhaps that wasn't possible?

I have a hard time understanding how one obtains a sample document from a log source that lives in the Windows event viewer.

I essentially cloned the PowerShell data stream and tried to clean it up and generate where I could.

Thank you for the review and quick responses!

nicpenning and others added 2 commits July 17, 2023 18:05
…m/winlog.yml.hbs

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@elasticmachine commented Jul 17, 2023

💚 Build Succeeded

Build stats

  • Start Time: 2023-07-26T02:39:00.849+0000
  • Duration: 17 min 35 sec

Test stats 🧪

  • Failed: 0
  • Passed: 134
  • Skipped: 0
  • Total: 134

nicpenning and others added 2 commits July 17, 2023 18:22
…ch/ingest_pipeline/default.yml

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@nicpenning (Contributor, Author):

I will see what I can do for the pipeline and system tests and also generate the sample event from said tests.

@nicpenning (Contributor, Author):

@efd6, do you have a link to some documentation or a recommendation on how to create the test-events.json?

I have plenty of example events but am unsure how to dump them before they get sent to the Integration. Do I run the agent in debug mode? Are there some configurations I can make to extract test-events?

@nicpenning (Contributor, Author):

Yes, that is how I know it works and how I found some ingest errors when testing.

@efd6 (Contributor) commented Jul 24, 2023:

Cool. So that I imagine is for the winlog case? Has the httpjson case been tested? I don't think we can expect to test the winlog case, but httpjson is just sending POST requests, so we should be able to simulate that.

@nicpenning (Contributor, Author):

Correct, that is for the winlog input. I have not tested the httpjson case, but in theory, I should have all of the files in place to test that.

@efd6 (Contributor) commented Jul 24, 2023:

OK. So let's test the HTTPJSON case and leave the winlog case, noting that it has been tested in the wild.

@nicpenning (Contributor, Author):

The system tests fail. I am unsure how to run just the splunk test, but either way, it appears to be running since I see an agent get created in Kibana.

napsta@TOPSYLL:~/integrations/packages/windows$ elastic-package test system --data-streams applocker_exe_and_dll
Run system tests for the package
2023/07/24 09:05:54  INFO License text found in "/home/napsta/integrations/LICENSE.txt" will be included in package
2023/07/24 09:16:21  WARN failed to uninstall package "windows": can't remove the package: could not remove package; API status code = 400; response body = {"statusCode":400,"error":"Bad Request","message":"unable to remove package with existing package policy(s) in use by agent(s)"}
2023/07/24 09:16:22  INFO Write container logs to file: /home/napsta/integrations/build/container-logs/splunk-mock-1690208182508628734.log
Error: error running package system tests: could not complete test run: could not find hits in logs-windows.applocker_exe_and_dll-ep data stream

This is from a filebeat event regarding the splunk mock.

field value
id httpjson-windows.applocker_exe_and_dll-3802ec20-2a2b-11ee-94b2-27a6b5143b46
input_source http://elastic-package-service_splunk-mock_1:8080/services/search/jobs/export
input_url http://elastic-package-service_splunk-mock_1:8080/services/search/jobs/export
input.type filestream
log.file.path /usr/share/elastic-agent/state/data/logs/elastic-agent-20230724.ndjson
log.level error
log.logger input.httpjson-cursor
log.offset 1,212,753
log.origin.file.line 510
log.origin.file.name httpjson/request.go
log.source httpjson-default
message error processing response: invalid character 'h' after object key:value pair
service.name filebeat

And here are the logs from the file path mentioned above from the docker container:

Attaching to elastic-package-service_splunk-mock_1
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:05:53.242Z","caller":"command/httpserver.go:38","msg":"mock server running...","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:05:53.245Z","caller":"httpserver/httpserver.go:115","msg":"Setting up rule #0 for path \"/services/search/jobs/export\"","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:05:53.245Z","caller":"httpserver/httpserver.go:115","msg":"Setting up rule #1 for path \"/services/search/jobs/export\"","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:05:53.247Z","caller":"httpserver/httpserver.go:115","msg":"Setting up rule #2 for path \"/services/search/jobs/export\"","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:05:53.248Z","caller":"httpserver/httpserver.go:115","msg":"Setting up rule #3 for path \"/services/search/jobs/export\"","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:05:53.248Z","caller":"httpserver/httpserver.go:115","msg":"Setting up rule #4 for path \"/services/search/jobs/export\"","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:05:53.249Z","caller":"httpserver/httpserver.go:92","msg":"listening on [::]:8080","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:06:12.995Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #1 => Request path: POST /services/search/jobs/export?index_earliest=1690207562&index_latest=1690207572&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:06:22.998Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #2 => Request path: POST /services/search/jobs/export?index_earliest=1690207572&index_latest=1690207582&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:06:33.000Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #3 => Request path: POST /services/search/jobs/export?index_earliest=1690207582&index_latest=1690207592&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:06:41.502Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #4 => Request path: POST /services/search/jobs/export?index_earliest=1690207591&index_latest=1690207601&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:06:51.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #5 => Request path: POST /services/search/jobs/export?index_earliest=1690207601&index_latest=1690207611&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:07:01.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #6 => Request path: POST /services/search/jobs/export?index_earliest=1690207611&index_latest=1690207621&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:07:11.504Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #7 => Request path: POST /services/search/jobs/export?index_earliest=1690207621&index_latest=1690207631&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:07:21.506Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #8 => Request path: POST /services/search/jobs/export?index_earliest=1690207631&index_latest=1690207641&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:07:31.506Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #9 => Request path: POST /services/search/jobs/export?index_earliest=1690207641&index_latest=1690207651&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:07:41.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #10 => Request path: POST /services/search/jobs/export?index_earliest=1690207651&index_latest=1690207661&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:07:51.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #11 => Request path: POST /services/search/jobs/export?index_earliest=1690207661&index_latest=1690207671&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:08:01.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #12 => Request path: POST /services/search/jobs/export?index_earliest=1690207671&index_latest=1690207681&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:08:11.504Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #13 => Request path: POST /services/search/jobs/export?index_earliest=1690207681&index_latest=1690207691&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:08:21.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #14 => Request path: POST /services/search/jobs/export?index_earliest=1690207691&index_latest=1690207701&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:08:31.506Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #15 => Request path: POST /services/search/jobs/export?index_earliest=1690207701&index_latest=1690207711&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:08:41.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #16 => Request path: POST /services/search/jobs/export?index_earliest=1690207711&index_latest=1690207721&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:08:51.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #17 => Request path: POST /services/search/jobs/export?index_earliest=1690207721&index_latest=1690207731&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:09:01.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #18 => Request path: POST /services/search/jobs/export?index_earliest=1690207731&index_latest=1690207741&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:09:11.504Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #19 => Request path: POST /services/search/jobs/export?index_earliest=1690207741&index_latest=1690207751&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:09:21.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #20 => Request path: POST /services/search/jobs/export?index_earliest=1690207751&index_latest=1690207761&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:09:31.506Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #21 => Request path: POST /services/search/jobs/export?index_earliest=1690207761&index_latest=1690207771&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:09:41.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #22 => Request path: POST /services/search/jobs/export?index_earliest=1690207771&index_latest=1690207781&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:09:51.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #23 => Request path: POST /services/search/jobs/export?index_earliest=1690207781&index_latest=1690207791&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:10:01.504Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #24 => Request path: POST /services/search/jobs/export?index_earliest=1690207791&index_latest=1690207801&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:10:11.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #25 => Request path: POST /services/search/jobs/export?index_earliest=1690207801&index_latest=1690207811&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:10:21.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #26 => Request path: POST /services/search/jobs/export?index_earliest=1690207811&index_latest=1690207821&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:10:31.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #27 => Request path: POST /services/search/jobs/export?index_earliest=1690207821&index_latest=1690207831&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:10:41.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #28 => Request path: POST /services/search/jobs/export?index_earliest=1690207831&index_latest=1690207841&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:10:51.505Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #29 => Request path: POST /services/search/jobs/export?index_earliest=1690207841&index_latest=1690207851&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:11:01.508Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #30 => Request path: POST /services/search/jobs/export?index_earliest=1690207851&index_latest=1690207861&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:11:15.661Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #31 => Request path: POST /services/search/jobs/export?index_earliest=1690207865&index_latest=1690207875&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
splunk-mock_1  | {"level":"debug","ts":"2023-07-24T14:11:25.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #32 => Request path: POST /services/search/jobs/export?index_earliest=1690207875&index_latest=1690207885&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:11:35.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #33 => Request path: POST /services/search/jobs/export?index_earliest=1690207885&index_latest=1690207895&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:11:45.666Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #34 => Request path: POST /services/search/jobs/export?index_earliest=1690207895&index_latest=1690207905&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:11:55.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #35 => Request path: POST /services/search/jobs/export?index_earliest=1690207905&index_latest=1690207915&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:12:05.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #36 => Request path: POST /services/search/jobs/export?index_earliest=1690207915&index_latest=1690207925&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:12:15.664Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #37 => Request path: POST /services/search/jobs/export?index_earliest=1690207925&index_latest=1690207935&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:12:25.664Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #38 => Request path: POST /services/search/jobs/export?index_earliest=1690207935&index_latest=1690207945&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:12:35.664Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #39 => Request path: POST /services/search/jobs/export?index_earliest=1690207945&index_latest=1690207955&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:12:45.665Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #40 => Request path: POST /services/search/jobs/export?index_earliest=1690207955&index_latest=1690207965&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:12:55.664Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #41 => Request path: POST /services/search/jobs/export?index_earliest=1690207965&index_latest=1690207975&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:13:05.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #42 => Request path: POST /services/search/jobs/export?index_earliest=1690207975&index_latest=1690207985&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:13:15.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #43 => Request path: POST /services/search/jobs/export?index_earliest=1690207985&index_latest=1690207995&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:13:25.664Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #44 => Request path: POST /services/search/jobs/export?index_earliest=1690207995&index_latest=1690208005&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:13:35.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #45 => Request path: POST /services/search/jobs/export?index_earliest=1690208005&index_latest=1690208015&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:13:45.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #46 => Request path: POST /services/search/jobs/export?index_earliest=1690208015&index_latest=1690208025&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:13:55.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #47 => Request path: POST /services/search/jobs/export?index_earliest=1690208025&index_latest=1690208035&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:14:05.667Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #48 => Request path: POST /services/search/jobs/export?index_earliest=1690208035&index_latest=1690208045&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:14:15.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #49 => Request path: POST /services/search/jobs/export?index_earliest=1690208045&index_latest=1690208055&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:14:25.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #50 => Request path: POST /services/search/jobs/export?index_earliest=1690208055&index_latest=1690208065&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:14:35.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #51 => Request path: POST /services/search/jobs/export?index_earliest=1690208065&index_latest=1690208075&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:14:45.664Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #52 => Request path: POST /services/search/jobs/export?index_earliest=1690208075&index_latest=1690208085&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:14:55.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #53 => Request path: POST /services/search/jobs/export?index_earliest=1690208085&index_latest=1690208095&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:15:05.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #54 => Request path: POST /services/search/jobs/export?index_earliest=1690208095&index_latest=1690208105&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:15:15.664Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #55 => Request path: POST /services/search/jobs/export?index_earliest=1690208105&index_latest=1690208115&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:15:25.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #56 => Request path: POST /services/search/jobs/export?index_earliest=1690208115&index_latest=1690208125&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:15:35.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #57 => Request path: POST /services/search/jobs/export?index_earliest=1690208125&index_latest=1690208135&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:15:45.665Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #58 => Request path: POST /services/search/jobs/export?index_earliest=1690208135&index_latest=1690208145&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:15:55.665Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #59 => Request path: POST /services/search/jobs/export?index_earliest=1690208145&index_latest=1690208155&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' , Request Body: ","address":":8080"}
�[36msplunk-mock_1  |�[0m {"level":"debug","ts":"2023-07-24T14:16:05.663Z","caller":"httpserver/httpserver.go:129","msg":"Rule #4 matched: request #60 => Request path: POST /services/search/jobs/export?index_earliest=1690208155&index_latest=1690208165&output_mode=json&search=search+sourcetype%3D%22XmlWinEventLog%3AMicrosoft-Windows-AppLocker%2FEXE+and+DLL%22+%7C+streamstats+max%28_indextime%29+AS+max_indextime, Request Headers: 'Content-Type: [application/x-www-form-urlencoded]' 'Accept-Encoding: [gzip]' 'Connection: [close]' 'User-Agent: [Elastic-Filebeat/8.8.2 (linux; amd64; 92c6b2370e46e549acda91b396f665a7e51e249c; 2023-06-23 19:04:44 +0000 UTC)]' 'Content-Length: [211]' 'Accept: [application/json]' 'Authorization: [Basic dGVzdDp0ZXN0]' , Request Body: ","address":":8080"}

I don't quite understand what I am looking at. What do you think our next steps are?

@nicpenning
Contributor Author

Just fixed file paths in xml.

Ready to test splunk again!

@nicpenning
Contributor Author

nicpenning commented Jul 25, 2023

I went ahead and added the convert with removal of the field as described above as the pipeline, and it appears that the system test worked.

2023/07/25 08:59:26  INFO Write container logs to file: /home/napsta/integrations/build/container-logs/splunk-mock-1690293566616699674.log
--- Test results for package: windows - START ---
╭─────────┬───────────────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE │ DATA STREAM           │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├─────────┼───────────────────────┼───────────┼───────────┼────────┼───────────────┤
│ windows │ applocker_exe_and_dll │ system    │ default   │ PASS   │ 25.715349609s │
╰─────────┴───────────────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: windows - END   ---
Done

However, I have not been able to generate the sample_event.json from the test. I tried to use:

elastic-package test system --data-streams applocker_exe_and_dll generate

However, that does not seem to do the trick (like it does for the pipeline tests). Please advise!

Update: I was able to run the elastic-package test system generate to get the sample_event.json file. I guess I forgot the dashes on the command above.

elastic-package test system --data-streams applocker_exe_and_dll --generate

Added new sample_event.json file.

Please check the convert processors I added. Otherwise, I think we are getting close!

@efd6
Contributor

efd6 commented Jul 26, 2023

/test

@efd6
Contributor

efd6 commented Jul 26, 2023

Needs an elastic-package build.

@nicpenning
Contributor Author

Needs an elastic-package build.

On it

@nicpenning
Contributor Author

Ran the build and then pushed. Good?

@efd6
Contributor

efd6 commented Jul 26, 2023

/test

@elasticmachine

🌐 Coverage report

| Name         | Metrics % (covered/total) | Diff        |
|--------------|---------------------------|-------------|
| Packages     | 100.0% (5/5)              | 💚          |
| Files        | 88.889% (8/9)             | 👎 -11.111  |
| Classes      | 88.889% (8/9)             | 👎 -11.111  |
| Methods      | 82.178% (83/101)          | 👍 48.845   |
| Lines        | 91.91% (5328/5797)        | 👎 -8.09    |
| Conditionals | 100.0% (0/0)              | 💚          |

@efd6 efd6 merged commit 841d6f7 into elastic:main Jul 26, 2023
4 checks passed
@nicpenning
Contributor Author

🙏🏻 my first data stream added complete. Thank you @efd6 for the patience and guidance on this!! More PRs for refinement to come on these types of events. 🚀

@nicpenning nicpenning deleted the initial-applocker-datastream branch July 26, 2023 05:52
@elasticmachine

Package windows - 1.27.0 containing this change is available at https://epr.elastic.co/search?package=windows
